“Systematic Failings” on Data Protection lead to a £15,000 fine

Following on from the case reported last month on data protection (“Failing to anonymise – the cost”), a nursing home in Northern Ireland has received a fine of £15,000 from the Information Commissioner’s Office (“ICO”), following the burglary of the home of one of its staff members.

During the burglary, an unencrypted work laptop was stolen. The laptop contained sensitive personal data, including medical information, on the nursing home’s 29 residents (including “do not resuscitate” orders) and personal data on the 46 members of staff.

The ICO’s subsequent investigation found the nursing home had no policies in place regarding the use of encryption, working from home and the storage of mobile devices. Data security training was also found to be lacking. In issuing the fine, the ICO said there had been “systematic failings” at the nursing home.

The fine was issued despite the nursing home referring themselves to the ICO, no complaints being made by any of the staff or residents’ families and no confirmation that the information had been further disseminated. In determining the level of the fine, the nursing home received some credit for having self-reported its breach to the ICO.

The amount of the fine reflected the size of the business, with the ICO stating that a bigger organisation experiencing a similarly serious breach should expect to receive a much larger fine. The case therefore acts as a timely reminder that all businesses must take their legal duties to look after personal data seriously and should ensure adequate policies, procedures and equipment are in place. Simply having a work laptop password protected will not fulfil this duty.

For useful data protection factsheets, checklists and templates, please visit 

For further advice on how to protect your business against data protection and privacy claims, please contact our employment lawyers on 

About this article


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
